When developing software or defending a network, it’s helpful to understand how malicious hackers hack. A dedicated attacker will fingerprint the intended host, starting first with available IP addresses and then perform TCP -- and sometimes UDP -- scans looking for active and listening TCP/IP ports. Each found port is then further fingerprinted to determine the listening application. For example, if port 80 is found, is it running Apache or IIS?
All the applications running on the targeted host are then recorded and the underlying operating system is enumerated. At this point, the attacker has eight primary, basic ways to break in. They are:
1. Log-on credential or password guessing/cracking
2. Buffer overflow
3. Application or OS vulnerability
4. Application or OS misconfiguration
5. Data malformation -- SQL injection, XSS, and so on
7. Client-side attack
8. Social engineering
Buffer overflows are responsible for many of the most popular, widespread attacks -- Blaster, Slammer, Ramen worm, and so on. A malicious hacker can code their own buffer overflow or choose from thousands of pre-coded buffer overflows found on the Internet. Milw0rm is one of the favorite buffer overflow download sites. Other Web sites come and go, but milw0rm lives on.
If you don’t want to download and compile a buffer overflow program, you can install the Metasploit framework. Buffer overflow hacking doesn’t get any easier than that, but Metasploit is still young and growing and contains just over 100 exploits.
OS or application misconfiguration is another popular hacker choice. I’ve audited many Web sites throughout the years, only to find that the Everyone group (or World group in Linux) had Full Control (or RWX) permissions to all files and folders. This means anyone connecting to that server has complete control of the box. Sometimes these servers have been up and misconfigured for years.
How does it happen? I saw the problem all the time in older versions of Windows: The administrator was trying to add one person or group with new permissions to a particular high-level folder, and Windows prompted them with a message dialog box similar to “Replace all permissions on files and folders beneath this level with these new permissions?” The administrator, not really understanding the consequences of their actions, replies “Yes” to ensure that their new permissions, for the one new user or group, get applied. But in reality, they’ve just replaced all previous permissions for all users with what should have been limited to one folder for one user or group.
Even when everything is patched and there are no misconfigurations, enterprising hackers can malform their input so that the accepting application barfs (yes, that’s a technical word), commingling expected data into executable commands. For example, many online databases do not contain appropriate data validation checks on incoming data. The hacker can place into a data field a command that ends up being executed on the database server to provide unauthorized remote access or dump data.
It’s important to remember that the vast majority of attacks against your network are automated, appearing in the form of viruses, worms, Trojans, and bots, and using a client-side attack with some form of social engineering.
A large majority of the attacks you read about in the newspaper -- stolen data and financial bank heists -- occur because some internal employee was tricked into running malicious code. The malware program then loads a back door which the attacker utilizes to compromise the host environment using the privileges of the unlucky employee.
Lastly, even if you have perfect security (and nobody really does), often the simplest thing a hacker can do is to ask IT or other employees for the access or password they need.
Every professional penetration tester can easily, and laughingly, recount numerous stories about how easy it is to get unauthorized access from a normal corporate employee. I often walk up to the CEO’s executive secretary and say something like, “Hello, my name is Roger Grimes. I’ve been hired by IT to do password penetration test auditing. I need the CEO’s password.”
How often does this work? So far, 100 percent of the time.
I recently told this story while teaching a class. A student who happened to be the security officer at a large firm declared that it wouldn’t work at his company. So, at lunch, with his permission, I went to the CEO’s secretary and asked my question. Did it work? Of course.
Several multi-year studies have shown that more than 60 percent of your workforce will reveal their real passwords to complete strangers on the street for a candy bar or something worth less than $2 -- a pen, a blank CD-ROM, and so on. I could not believe these statistics when I first heard them. But two years later, multiple studies, by different firms, conducted in many different countries, have all come up with the same results.
When developing software or creating a network security plan, stay focused on the primary eight methods of the attacker and plan and defend accordingly. And make sure your employees know not to reveal information to strangers, no matter now politely they ask.